GHSA-574f-3g2m-x479

Source
https://github.com/advisories/GHSA-574f-3g2m-x479
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-574f-3g2m-x479
Aliases
  • CVE-2025-14813
Downstream
Related
Published
2026-04-17T18:31:50Z
Modified
2026-07-03T18:29:34.748750441Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/RE:M/U:Red
Summary
Bouncy Castle for Java GOST 28147 CTR mode reuses keystream after 255 blocks
Details

The GOST 28147-2015 CTR mode implementation (G3413CTRBlockCipher) in the Legion of the Bouncy Castle BC-JAVA bcprov core module only increments the final byte of the counter, so the counter wraps after 255 blocks and the keystream is reused. Reusing CTR keystream allows an attacker who can observe two ciphertexts produced with the same key/IV to recover the XOR of the plaintexts, breaking confidentiality. Affects BC-JAVA from 1.59 before 1.84 (with backported fixes in 1.80.2 and 1.81.1).
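
The counter handling described above, as a simplified model added here for illustration; it is not Bouncy Castle source. SHA-256 over key and counter stands in for the GOST block cipher (an assumption, since the JDK ships no GOST cipher), and the class name, method names, all-zero key and starting counter block are constructed for the demo.

```java
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

// Simplified model of a CTR keystream generator; not Bouncy Castle code.
public class CtrCounterWrapDemo {
    static final int BLOCK = 16;

    // Stand-in for the block cipher (assumption): SHA-256(key || counter), truncated.
    static byte[] keystreamBlock(byte[] key, byte[] ctr) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(key);
        md.update(ctr);
        return Arrays.copyOf(md.digest(), BLOCK);
    }

    // Flawed step as the advisory describes it: only the final byte changes, no carry.
    static void incLastByteOnly(byte[] ctr) {
        ctr[ctr.length - 1]++;
    }

    // Corrected step: big-endian increment that carries into the preceding bytes.
    static void incWithCarry(byte[] ctr) {
        for (int i = ctr.length - 1; i >= 0 && ++ctr[i] == 0; i--) { }
    }

    // Index of the first keystream block equal to an earlier one, or -1 if none repeats.
    static int firstRepeat(byte[] key, byte[] start, boolean carry, int blocks) throws Exception {
        byte[] ctr = start.clone();
        Set<String> seen = new HashSet<>();
        for (int i = 0; i < blocks; i++) {
            String ks = Base64.getEncoder().encodeToString(keystreamBlock(key, ctr));
            if (!seen.add(ks)) return i;   // same counter value, hence same keystream block
            if (carry) incWithCarry(ctr); else incLastByteOnly(ctr);
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];      // constructed all-zero demo key
        byte[] start = new byte[BLOCK]; // constructed starting counter block
        System.out.println("last-byte-only: first repeat at block "
                + firstRepeat(key, start, false, 1024));
        System.out.println("with carry:     first repeat at block "
                + firstRepeat(key, start, true, 1024));
    }
}
```

Two ciphertext blocks produced under a repeated keystream block XOR to the XOR of their plaintexts, which is the confidentiality loss the advisory describes, so a repeat index other than -1 within the message length is the condition to test for.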

Database specific
{
    "github_reviewed_at": "2026-06-30T19:45:20Z",
    "nvd_published_at": "2026-04-15T10:16:38Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-323"
    ],
    "severity": "CRITICAL"
}
References

Affected packages

Maven
org.bouncycastle:bcprov-jdk14

Package

Name
org.bouncycastle:bcprov-jdk14
Purl
pkg:maven/org.bouncycastle/bcprov-jdk14

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.59
Last affected
1.80.1

Affected versions

1.*
1.59
1.60
1.61
1.62
1.63
1.64
1.65
1.67
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.75
1.76
1.77
1.78
1.78.1
1.79
1.80

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
org.bouncycastle:bcprov-jdk15to18

Package

Name
org.bouncycastle:bcprov-jdk15to18
Purl
pkg:maven/org.bouncycastle/bcprov-jdk15to18

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.59
Last affected
1.80.1

Affected versions

1.*
1.63
1.64
1.65
1.66
1.67
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.75
1.76
1.77
1.78
1.78.1
1.79
1.80

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
org.bouncycastle:bcprov-jdk18on

Package

Name
org.bouncycastle:bcprov-jdk18on
Purl
pkg:maven/org.bouncycastle/bcprov-jdk18on

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.59
Fixed
1.80.2

Affected versions

1.*
1.71
1.71.1
1.72
1.73
1.74
1.75
1.76
1.77
1.78
1.78.1
1.79
1.80

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
last_known_affected_version_range
"<= 1.80.1"
org.bouncycastle:bcprov-debug-jdk14

Package

Name
org.bouncycastle:bcprov-debug-jdk14
Purl
pkg:maven/org.bouncycastle/bcprov-debug-jdk14

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.59
Last affected
1.80.1

Affected versions

1.*
1.59
1.60
1.64
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.78
1.79
1.80

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
org.bouncycastle:bcprov-debug-jdk15to18

Package

Name
org.bouncycastle:bcprov-debug-jdk15to18
Purl
pkg:maven/org.bouncycastle/bcprov-debug-jdk15to18

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.59
Last affected
1.80.1

Affected versions

1.*
1.64
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.75
1.76
1.77
1.78
1.78.1
1.79

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
org.bouncycastle:bcprov-debug-jdk18on

Package

Name
org.bouncycastle:bcprov-debug-jdk18on
Purl
pkg:maven/org.bouncycastle/bcprov-debug-jdk18on

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.59
Last affected
1.80.1

Affected versions

1.*
1.71
1.72
1.73
1.74
1.75
1.76
1.77
1.78
1.78.1
1.79

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
org.bouncycastle:bcprov-ext-jdk14

Package

Name
org.bouncycastle:bcprov-ext-jdk14
Purl
pkg:maven/org.bouncycastle/bcprov-ext-jdk14

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.59
Last affected
1.78.1

Affected versions

1.*
1.60
1.64
1.65
1.67
1.68
1.69
1.70
1.71
1.72
1.73
1.75
1.76
1.78
1.78.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
org.bouncycastle:bcprov-ext-jdk15to18

Package

Name
org.bouncycastle:bcprov-ext-jdk15to18
Purl
pkg:maven/org.bouncycastle/bcprov-ext-jdk15to18

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.59
Last affected
1.78.1

Affected versions

1.*
1.64
1.67
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.75
1.76
1.77
1.78
1.78.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
org.bouncycastle:bcprov-ext-jdk18on

Package

Name
org.bouncycastle:bcprov-ext-jdk18on
Purl
pkg:maven/org.bouncycastle/bcprov-ext-jdk18on

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.59
Last affected
1.78.1

Affected versions

1.*
1.71
1.72
1.73
1.74
1.75
1.76
1.77
1.78
1.78.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
org.bouncycastle:bcprov-ext-debug-jdk14

Package

Name
org.bouncycastle:bcprov-ext-debug-jdk14
Purl
pkg:maven/org.bouncycastle/bcprov-ext-debug-jdk14

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.59
Last affected
1.74

Affected versions

1.*
1.60
1.68
1.69
1.70
1.71
1.72
1.73
1.74

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
org.bouncycastle:bcprov-ext-debug-jdk15to18

Package

Name
org.bouncycastle:bcprov-ext-debug-jdk15to18
Purl
pkg:maven/org.bouncycastle/bcprov-ext-debug-jdk15to18

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.59
Last affected
1.77

Affected versions

1.*
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.75
1.76
1.77

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
org.bouncycastle:bcprov-ext-debug-jdk18on

Package

Name
org.bouncycastle:bcprov-ext-debug-jdk18on
Purl
pkg:maven/org.bouncycastle/bcprov-ext-debug-jdk18on

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.59
Last affected
1.77

Affected versions

1.*
1.71
1.72
1.73
1.74
1.75
1.76
1.77

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
org.bouncycastle:bcprov-jdk14

Package

Name
org.bouncycastle:bcprov-jdk14
Purl
pkg:maven/org.bouncycastle/bcprov-jdk14

Affected ranges

Affected versions

1.*
1.81.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
org.bouncycastle:bcprov-jdk15to18

Package

Name
org.bouncycastle:bcprov-jdk15to18
Purl
pkg:maven/org.bouncycastle/bcprov-jdk15to18

Affected ranges

Affected versions

1.*
1.81.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
org.bouncycastle:bcprov-jdk18on

Package

Name
org.bouncycastle:bcprov-jdk18on
Purl
pkg:maven/org.bouncycastle/bcprov-jdk18on

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.81.0
Fixed
1.81.1

Affected versions

1.*
1.81
1.81.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
org.bouncycastle:bcprov-debug-jdk14

Package

Name
org.bouncycastle:bcprov-debug-jdk14
Purl
pkg:maven/org.bouncycastle/bcprov-debug-jdk14

Affected ranges

Affected versions

1.*
1.81.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
org.bouncycastle:bcprov-debug-jdk15to18

Package

Name
org.bouncycastle:bcprov-debug-jdk15to18
Purl
pkg:maven/org.bouncycastle/bcprov-debug-jdk15to18

Affected ranges

Affected versions

1.*
1.81.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
org.bouncycastle:bcprov-debug-jdk18on

Package

Name
org.bouncycastle:bcprov-debug-jdk18on
Purl
pkg:maven/org.bouncycastle/bcprov-debug-jdk18on

Affected ranges

Affected versions

1.*
1.81.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
org.bouncycastle:bcprov-jdk14

Package

Name
org.bouncycastle:bcprov-jdk14
Purl
pkg:maven/org.bouncycastle/bcprov-jdk14

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.82
Fixed
1.84

Affected versions

1.*
1.82
1.83

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
last_known_affected_version_range
"<= 1.83"
org.bouncycastle:bcprov-jdk15to18

Package

Name
org.bouncycastle:bcprov-jdk15to18
Purl
pkg:maven/org.bouncycastle/bcprov-jdk15to18

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.82
Fixed
1.84

Affected versions

1.*
1.82
1.83

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
last_known_affected_version_range
"<= 1.83"
org.bouncycastle:bcprov-jdk18on

Package

Name
org.bouncycastle:bcprov-jdk18on
Purl
pkg:maven/org.bouncycastle/bcprov-jdk18on

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.82
Fixed
1.84

Affected versions

1.*
1.82
1.83

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
last_known_affected_version_range
"<= 1.83"
org.bouncycastle:bcprov-debug-jdk14

Package

Name
org.bouncycastle:bcprov-debug-jdk14
Purl
pkg:maven/org.bouncycastle/bcprov-debug-jdk14

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.82
Fixed
1.84

Affected versions

1.*
1.82
1.83

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
last_known_affected_version_range
"<= 1.83"
org.bouncycastle:bcprov-debug-jdk15to18

Package

Name
org.bouncycastle:bcprov-debug-jdk15to18
Purl
pkg:maven/org.bouncycastle/bcprov-debug-jdk15to18

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.82
Fixed
1.84

Affected versions

1.*
1.82
1.83

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
last_known_affected_version_range
"<= 1.83"
org.bouncycastle:bcprov-debug-jdk18on

Package

Name
org.bouncycastle:bcprov-debug-jdk18on
Purl
pkg:maven/org.bouncycastle/bcprov-debug-jdk18on

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.82
Fixed
1.84

Affected versions

1.*
1.82
1.83

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-574f-3g2m-x479/GHSA-574f-3g2m-x479.json"
last_known_affected_version_range
"<= 1.83"